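#!/bin/csh -f
#
# Ivan - the Security Inventory
#
# This script performs a series of one-time security checks.
# If you want periodic checks, run Walter every week, or Nigel
# every night.
#
# To initialize tripwire you will need to set some configuration
# variables (see below).
#
# Eric Myers - 11 November 1997
# Department of Physics, University of Michigan, Ann Arbor
# Eric Myers - 11 November 1997
# Department of Physics and Astronomy, Vassar College, Poughkeepsie, NY
# Copyright (C) 1997,2003 by Eric Myers, all rights reserved.
# @(#) $Id: Ivan,v 2.13 2008/09/13 17:05:54 myers Exp myers $
#
# Structure: every check writes its findings to the scratch file $TMP
# (emptied with 'cp /dev/null' at the start of the check) and, when
# $TMP is non-empty, appends a report paragraph plus the indented
# findings to $LOG.  The closing section (below) mails $LOG to root.
#
#######################################################################
# Configuration:

# Set the path just to what is needed, nothing else:
set path=( /usr/local/adm /usr/local/bin /usr/local/sbin /bin /usr/bin )
set path=( $path /usr/sbin /usr/lib /usr/etc /usr/ucb /usr/bsd )

# Log and report files:
umask 037

# Scratch and log files.  The script runs as root and writes into the
# shared /tmp directory, so the names are created atomically with
# mktemp(1) rather than being predictable ($$ or a fixed name).  The
# files are truncated, never removed and re-created, until the final
# cleanup, so a symlink planted at the same name cannot be followed.
# Fallback: if mktemp is not installed (csh prints "Command not found"
# and the variable stays empty) use the historical names.
set TMP=`mktemp /tmp/Ivan.XXXXXX`
if ( "$TMP" == "" ) then
  set TMP=/tmp/Ivan.$$
  /bin/rm -f $TMP
endif
set LOG=`mktemp /tmp/Ivan.out.XXXXXX`
if ( "$LOG" == "" ) then
  set LOG=/tmp/Ivan.out
  /bin/rm -f $LOG
endif

set HOSTNAME=`hostname | awk -F. '{print $1}'`
set RPT=${HOSTNAME}-Ivan.rpt

# How to print a file, indented
set INDENT="pr -o 4 -t "

# System stuff may need changing:
set UNAME=`uname`                    # system type
set XDEV=" -xdev "                   # may be " -mount" on some systems?
# NB: 'set' is required here; a bare assignment is a command in csh.
if ( "$UNAME" == "IRIX" ) set XDEV=" -mount"

# This tells find command to ignore /proc, /afs, and /smb
set NOFIND=" -path /proc -prune -o -path /afs -prune -o -path /smb -prune -o"

##
# MAILX is mail/mailx or mush, with -s for subject
#
set MAILX="mail -s "                 # NeXT/Linux/Sun
if ( -x /usr/bin/mailx ) then        # HP-UX
  set MAILX="mailx -s "
endif
if ( -x /usr/local/bin/mush ) then   # mush is prefered
  set MAILX="mush -s "
endif

# Tripwire configuration:
set TWDIR=/usr/local/adm             # execution directory
set TWEXE=/usr/local/bin/tripwire    # executable
set TWCFG=/usr/local/adm/tw.config   # config file & database
set TWDBF=/usr/local/adm/databases/tw.db_${HOSTNAME}
set TWSUID=/var/adm/tw.config.suid   # list of suid root files

# End Configuration
##################################################

# Get ready...
cp /dev/null $LOG
cp /dev/null $TMP

if ( -f $RPT ) newlog $RPT 3

set RCSVERS=`echo '$Revision: 2.13 $' | sed -e 's/Revision: //' -e 's/$\(.*\) \$/\1/'`

# Who actually receives root's mail.  Initialised here because the MTA
# check below only assigns it when an MTA is found, and the final
# mailing section tests "$ROOT" unconditionally (an unset csh variable
# there would abort the script with "Undefined variable").
set ROOT=""

##################################################
## @(#)* Note OS version

uname -s -r >$TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### NOTICE: Operating System version/revision

The OS (kernel) version (as reported by 'uname -s -r' ) is:

EOT
  $INDENT $TMP >>$LOG
endif

# Distribution release files.  With nonomatch an unmatched glob stays
# literal and simply fails the -r test, instead of aborting with
# "No match".
cp /dev/null $TMP
set nonomatch
set RELFILES=( /etc/*-release /etc/debian_version )
unset nonomatch
set FOUNDREL=0
foreach FILE ( $RELFILES )
  if ( -r $FILE ) then
    # set OSVersion=`sed 's/\(Red Hat Linux \)\?release \([^ ]*\) (.*)/\2/' $FILE`
    cat $FILE >> $TMP
    echo " " >> $TMP
    set FOUNDREL=1
  endif
end
if ( $FOUNDREL == 0 ) uname -a >> $TMP

if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
The OS (release) version of this Unix distribution is:

EOT
  $INDENT $TMP >>$LOG
endif

##################################################
## @(#)* Check for proper forwarding of root's e-mail, etc...
##

set MAILMTA=""
if ( -x /usr/sbin/sendmail.sendmail ) then
  set MAILMTA="/usr/sbin/sendmail.sendmail -bv root "
else if ( -x /usr/sbin/sendmail ) then
  set MAILMTA="/usr/sbin/sendmail -bv root "
else if ( -x /usr/lib/sendmail ) then
  set MAILMTA="/usr/lib/sendmail -bv root "
endif

if ( "$MAILMTA" == "" ) then
  cat <<EOT >>$LOG
### WARNING: no Mail Transport Agent (MTA) found

There does not seem to be a Mail Transport Agent (MTA) installed, such
as sendmail.  As a result it is not possible for root to reveive warning
e-mail.  Even if you don't run sendmail as a daemon, you should install
it so that it can be used to send and deliver mail.

EOT
else
  # There *is* sendmail so use it to check that root's e-mail is forwarded
  set ROOT=`$MAILMTA | awk '$2 ~ /^deliverable/ {print $NF}'`
  if ( "$ROOT" == "root" ) set ROOT=""
  if ( "$ROOT" == "" ) then
    cat <<EOT >>$LOG
### WARNING: Root e-mail is not forwarded to a real person

It is important that any e-mail sent to 'root' is actually read by
someone in a timely fashion, so that problems can be dealt with quickly.
E-mail to root can be forwarded either with a .forward file or an alias
in the aliases database.  Please set up such forwarding.

EOT
  endif

  # And if there is a sendmail, check to see if it's running as a daemon
  # (Need to make this test more robust than just Linux)
  cp /dev/null $TMP
  if ( -f /var/run/sendmail.pid ) then
    set PID=`head -n 1 /var/run/sendmail.pid`
    # 'ps <pid>' prints a header line even when the pid is not running,
    # so a stale pid file (or an empty one, which lists all processes)
    # would read as "daemon running".  '-o pid=' prints nothing but the
    # pid itself when the process exists.  Assumes a POSIX ps(1).
    if ( "$PID" != "" ) ps -p $PID -o pid= > $TMP
  endif
  if ( ! -z $TMP ) then
    cat <<EOT >>$LOG
### WARNING: sendmail daemon is running

This system is running the sendmail program as a daemon.  This is only
appropriate for mail servers, otherwise there is no need to run sendmail
as a daemon.  If you really want to run sendmail as a daemon then you
must always keep the software up to date, as it is a common target for
crackers.

EOT
  endif
endif

##################################################
## @(#)* Check root's home directory
##

cp /dev/null $TMP
set ROOTDIR=`awk -F: '$1 == "root" {print $6}' /etc/passwd`
if ( "$ROOTDIR" == "/" ) then
  cat <<EOT >>$LOG
### WARNING: superuser does not have a separate home directory

The root account does not have a separate home directory.  In olden
times root's home was just / the root of the entire directory system,
but a safer and more modern Unix practice is to give the superuser a
separate home directory, such as /root or /var/root.  You should
seriously consider creating such a directory, copying to it the files
and directories that need to be there (eg .bashrc or .cshrc files and
.ssh/ subdirectory).  Then edit /etc/passwd to change root's home
directory.

EOT
else
  cat <<EOT >>$LOG
### NOTICE: superuser home directory is $ROOTDIR

EOT
endif

##################################################
## @(#)* List authorized root SSH keys
##

cp /dev/null $TMP
if ( -d $ROOTDIR/.ssh ) then
  # Only the last field (the key comment) of each key line is listed.
  if ( -f $ROOTDIR/.ssh/authorized_keys ) then
    awk '{print $NF}' <$ROOTDIR/.ssh/authorized_keys >>$TMP
  endif
  if ( -f $ROOTDIR/.ssh/authorized_keys2 ) then
    awk '{print $NF}' <$ROOTDIR/.ssh/authorized_keys2 >>$TMP
  endif
  if ( ! -z $TMP ) then
    cat <<EOT >>$LOG
### NOTICE: root account SSH keys:

The root account trusts the following Secure Shell (SSH) keys for
remote access, most likely without requiring a password:

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

You should be sure that these private keys are in safe hands, and that
you trust the person(s) who have control of them enough to grant them
root access to this machine.

EOT
  endif
endif

##################################################
## @(#)* Check that root/admin accounts have no name field in /etc/passwd
##

cp /dev/null $TMP
foreach USERNAME ( root bin daemon adm lp brerfox )
  egrep "^${USERNAME}:" /etc/passwd | awk -F: '$5 != "" {print $1 FS $5}' >>$TMP
end
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### NOTICE: root or daemon accounts have a name field

In a networked environment it is useful to have e-mail from the root
or daemon accounts of various machines displayed as being from
"root@machine.name" or "daemon@machine.name".  This won't happen if
the account has a name field (a GCOS entry, such as "SuperUser" or
"Operator" or "bin").  On this machine the following accounts have
name fields (GCOS fields):

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

Although this is a small point, you may find system administration
much easier if you remove the name field for these users from the
password file, or use a distinctive name which identifies the machine
from which it came.

EOT
endif

##################################################
## @(#)* Check for /.rhosts file

cp /dev/null $TMP
if ( -r /.rhosts ) sed -e '/^#/d' -e '/^ *$/d' /.rhosts >>$TMP
if ( -r /root/.rhosts ) sed -e '/^#/d' -e '/^ *$/d' /root/.rhosts >>$TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### WARNING: /.rhosts or /root/.rhosts file exists

This file allows the superuser (root) from the other machines listed in
the file to log in to this machine without a password.  This may be
useful or even necessary in certain cases, but it can also pose a
security risk: if someone breaks into one of those machines then they
can get into this machine too.  The list of "trusted" machines should
therefore be kept as short as possible.  In this case, the trusted
hosts(s) are:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

Please check this list and remove any machine which does not need to
be there.

EOT
endif

##################################################
## @(#)* Check for '+' in the /.rhosts file

cp /dev/null $TMP
# -F: '+' is matched as a literal character, not as a regex operator.
if ( -r /.rhosts ) grep -F '+' /.rhosts >> $TMP
if ( -r /root/.rhosts ) grep -F '+' /root/.rhosts >> $TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### DANGER: /.rhosts or /root/.rhosts contains '+'

The file /.rhosts (or /root/.rhosts) contains "+", which grants
unlimited rlogin access to any machine on the Internet.  This is a
gaping security hole, and is probably evidence of a break-in.  Please
check the rest of the system for other evidence of a break-in!

EOT
endif

##################################################
## @(#)* Check for /etc/hosts.equiv file

if ( -r /etc/hosts.equiv ) then
  cat <<EOT >>$LOG
### WARNING: /etc/hosts.equiv exists

This file allows *ANY* user from the other machines listed to log in
to this machine without giving a password.  This level of "trust"
poses a large security risk.  It would be better to have each user
select the hosts they trust for logins without passwords by creating
their own .shosts file.  See the hosts.equiv(5) manual page for more
details.  The list of "equivalent" hosts for this machine is:

EOT
  $INDENT /etc/hosts.equiv >>$LOG
  cat <<EOT >>$LOG

You should seriously consider removing this file from the system.

EOT
endif

##################################################
## @(#)* Check for '+' in the /etc/hosts.equiv file

cp /dev/null $TMP
if ( -f /etc/hosts.equiv ) grep -F '+' /etc/hosts.equiv >>$TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### DANGER: /etc/hosts.equiv contains '+'

The file /etc/hosts.equiv contains '+', which grants unlimited rlogin
access to any machine on the Internet.  This is a gaping security
hole, and is probably evidence of a break-in.  Please check the rest
of the system for other evidence of a break-in!

EOT
endif

##################################################
## @(#)* Look for duplicate UID's

cp /dev/null $TMP
# can't use cut here as it's not available on NeXTstep
awk -F: '{print $3}' /etc/passwd | sort -n | cat -sv | uniq -d > $TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### WARNING: duplicate UID in /etc/passwd

Each user is supposed to have a unique user ID number (UID) but I have
found the following duplicate entries in the password file:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

Hackers sometimes sneak in alternate usernames for the root account
(UID zero).  You should be sure that the duplicates listed above are
for a legitimate purpose, not the result of a break-in.

EOT
endif

##################################################
## @(#)* Look for empty user passwords

cp /dev/null $TMP
# Match any account name (the field before the first ':'), not just
# alphanumeric ones, so names containing '_', '-' or '.' are not
# silently skipped.
egrep "^[^:]+::" /etc/passwd >> $TMP
if ( -f /etc/shadow ) then
  egrep "^[^:]+::" /etc/shadow >> $TMP
endif
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### WARNING: empty user password!

It appears that a user on this system has an empty password, which
makes it really easy for someone else to get in and then run a local
exploit.  Here's the evidence:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

You should disable this account and verify that it has not already
been used to break in.

EOT
endif

##################################################
## @(#)* Look for out of place files in /dev

# The '-o' is essential: without it the whole expression is AND-ed and
# nothing is ever printed (the original form silently never fired).
find /dev -path /dev/fd -prune -o -type f -print | grep -v /dev/MAKEDEV > $TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### WARNING: regular files found under /dev

The /dev directory normally contains only device files, not regular
files, but I have found the following under /dev:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

Hackers often try to hide files under /dev where they will be missed
among all those device files.  You should check each file listed above
to be sure that it actually belongs there.  One file which has a
legitimate place in /dev is MAKEDEV, which is used to build the device
files for the system (there could possibly be some related files).
But if it has been listed above, you should still check that it is a
legitimate version of MAKEDEV.

EOT
endif

##################################################
## @(#)* Look for particular suid-root files

set WATCHLIST=( /usr/sbin/rlpdaemon /opt/audio/bin/Aserver )
cp /dev/null $TMP
foreach FILE ( $WATCHLIST )
  if ( -f $FILE ) find $FILE -user root -perm -4000 -print >> $TMP
end
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### WARNING: SUID root files

Security advisories have been issued for the following files, which
have been found to be SUID root:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

You should turn off the SUID bit on these files to close potential
security holes.  Even if you have turned them off before, they could
have been turned back on by installing patches.

EOT
endif

##################################################
## @(#)* Look for evidence of intruders as per CS-98.04

cp /dev/null $TMP
set nonomatch
set WATCHLIST=( /dev/reset /.ncftp /dev/pfcf* /usr/lib/libsn.a )
foreach NAME ( $WATCHLIST )
  if ( -e $NAME ) ls -ld $NAME >>$TMP
end
unset nonomatch
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### DANGER: Possible intruder detected

I have found files on this system which are commonly left by intruders
using a 'kit' to break in to computers, as describe by CERT Summary
CS-98.04.  The files are:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
http://www.cert.org/tech_tips/intruder_detection_checklist.html

EOT
endif

#######
# Find system log files: check for Linux, SunOS, HP-UX, NeXT, etc...

set LOGLIST=( /usr/adm/messages /var/log/messages /var/log/syslog \
              /var/adm/syslog/syslog.log /var/log/system.log )
set SYSLOGS=""
foreach LOGFILE ( $LOGLIST )
  if ( -f $LOGFILE ) set SYSLOGS=( $SYSLOGS $LOGFILE )
end
if ( "$SYSLOGS" == "" ) then
  cat <<EOT >>$LOG
### WARNING: cannot find the system logs

Unix systems can record system activity in log files such as
/var/log/messages, but none of the standard log files have been found.
The ones we check for are

  $LOGLIST

Please check /etc/syslog.conf and add your log file to the list.

EOT
  # Keep later 'egrep ... $SYSLOGS' calls valid even with no logs found.
  set SYSLOGS="/dev/null"
endif

##################################################
## @(#)* Look for evidence of t0rnkit rootkit

cp /dev/null $TMP
set nonomatch
set WATCHLIST=( /etc/ttyhash /usr/info/.t0rn /usr/src/.puta )
foreach NAME ( $WATCHLIST )
  if ( -e $NAME ) ls -ld $NAME >>$TMP
end
unset nonomatch
# Path fixed: the test used '/etc/rc.d.rc.sysinit' (a typo that never
# exists) while the grep read /etc/rc.d/rc.sysinit, so the nscd check
# never ran.
if ( -r /etc/rc.d/rc.sysinit ) then
  grep nscd /etc/rc.d/rc.sysinit >>$TMP
endif
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### DANGER: Possible intrusion detected

I have found files on this system which are commonly left by intruders
using the 't0rnkit' rootkit to break in to computers, as describe by
CERT Incident Note IN-2000-10.  The files are:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
http://www.cert.org/tech_tips/intruder_detection_checklist.html

EOT
endif

##################################################
## @(#)* Look for trojan version of util-linux with hacked login

cp /dev/null $TMP
set nonomatch
foreach LOGIN ( /bin/login /usr/bin/login )
  if ( -f $LOGIN ) then
    strings $LOGIN | grep "HELO" >>$TMP
  endif
end
unset nonomatch
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### Possible trojan version of /bin/login detected

It appears that the version of /bin/login on this system may have been
hacked.  Output from the command

    strings /bin/login | grep "HELO"

yields:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

A hacked version of the login program was included in a Trojan horse
version of util-linux-2.9g.tar.gz which was placed on at least one ftp
server between January 22, 1999, and January 24, 1999.  This Trojan
horse could have been distributed to mirror FTP sites.  For more
information see CERT Advisory CA-99-02-Trojan-Horses of 5 February 1999.

EOT
endif

##################################################
## @(#)* Look for evidence of the 'named w0rm'

cp /dev/null $TMP
find /tmp -name "*w0rm*" -print >>$TMP
grep "w0rm" /etc/passwd >>$TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### Possible 'named w0rm' intrusion:

I have found evidence of a break-in using a bug in the 'named' server,
as described in CERT Summary CS-98.05.  This may have lead to the
propagation of a 'worm'.  The break-in script adds a user named 'w0rm'
to /etc/passwd and/or leaves files in /tmp with names containing
'w0rm'.  Here is what I found:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

EOT
endif

##################################################
## @(#)* Look for possibility of sadmind worm

cp /dev/null $TMP
if ( -e /etc/inetd.conf ) then
  grep sadmind /etc/inetd.conf | egrep -v "^#" >>$TMP
endif
if ( ! -z $TMP ) then
  # The advisory number now matches the URL quoted in the same paragraph.
  cat <<EOT >>$LOG
### Possible sadmind worm vulnerability:

I have found an entry for 'sadmind' in /etc/inetd.conf.  This means you
may be vulnerable to the sadmind worm, which is described in CERT
Advistory CA-2001-11.  Please review
http://www.cert.org/advisories/CA-2001-11.html
to be sure that you are not vulnerable or have not been comprimised.

EOT
endif

##################################################
## @(#)* Look for attempts to break in
#

cp /dev/null $TMP
set nonomatch

# Look for telling syslog messages:
egrep "SYN flood|unable to glue" $SYSLOGS >>$TMP
egrep -ih "Dropped invalid comments from header address" $SYSLOGS >>$TMP

# Anything found?  Report it.
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### Attempted break-in or attack:

The system logs show the following attempts to crack into your system
(they were most likely unsuccesful):

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
http://www.cert.org/tech_tips/intruder_detection_checklist.html

EOT
endif
unset nonomatch

##################################################
## @(#)* Look for evidence of other common root compromises, worms
#
# References: CERT IN-99-05, CERT-CA-99-14, CERT IN-2001-01, CA-2001-01
#             CERT-CA-2003-07

cp /dev/null $TMP
set nonomatch

# Look for new user accounts with reported names or names I've seen
# (loop variable renamed from USER so the login name of the invoking
# user is not shadowed)
set WATCHLIST=( moof foom bionic Malk2 tox floryn )
foreach ACCT ( $WATCHLIST )
  set X=`egrep "^${ACCT}:" /etc/passwd* `
  if ( "$X" != "" ) echo $X >>$TMP
end

# Look for certain files or directories commonly installed
# (globbing only allowed on the last line!)
set WATCHLIST=( /tmp/bob /dev/bp /dev/sda69 /var/named/AMDROCKS /var/named/O )
set WATCHLIST=($WATCHLIST /var/log/lpd/.stel /bin/prick /tmp/m /tmp/ramen.tgz )
set WATCHLIST=($WATCHLIST /usr/src/.poop /sbin/asp /usr/sbin/asp )
set WATCHLIST=($WATCHLIST /usr/man/man1/man1/lib/.lib/.x /dev/pts/01 )
set WATCHLIST=($WATCHLIST /dev/.lib /usr/src/.put /usr/info/.torn /tmp/.cheese )
set WATCHLIST=($WATCHLIST /dev/.shit /usr/bin/adore /tmp/.unlock.c /tmp/.update.c )
set WATCHLIST=($WATCHLIST /dev/tttyy/.kore /sbin/korelkm.o /usr/src/.vela )
set WATCHLIST=($WATCHLIST /tmp/.*bugtraq* /tmp/.cinik* /usr/.zk )
set WATCHLIST=($WATCHLIST /var/tmp/.r /var/lib/zlib.pl1 /usr/lib/linux.pid )
set WATCHLIST=($WATCHLIST /var/tmp/sir /dev/pd )
set WATCHLIST=($WATCHLIST /usr/bin/kswaps /usr/bin/scats /usr/man/man8/tty )
foreach FILE ( $WATCHLIST )
  if ( -e $FILE ) ls -latR $FILE >>$TMP
end

# Look for dot files/directories with spaces at end.
# NB: these two finds deliberately have no $XDEV, so they descend into
# every mounted filesystem (slow on large NFS mounts).
find / $NOFIND -name '.* ' -exec ls -ld {} \; >> $TMP

# Look for dot files/directories with spaces in name
find / $NOFIND -name '.* *' -exec ls -ld {} \; >> $TMP

# Look for badstuff in inetd.conf
if ( -e /etc/inetd.conf ) then
  grep /sbin/asp /etc/inetd.conf >>$TMP
endif

# Anything found?  Report it.
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### Possible Linux break-in or attempted break-in:

I have found evidence of a possible break-in or attempted break-in,
probably using a recent buffer overflow exploit.  Here is what was
found:

EOT
  $INDENT $TMP >>$LOG
  cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
http://www.cert.org/tech_tips/intruder_detection_checklist.html

EOT
endif
unset nonomatch

##################################################
## @(#)* Check for HP-UX 9.x 'hidden' (context dependent) files
## (They are no longer used in HP-UX 10.x, so only check 9.x systems)

cp /dev/null $TMP
if ( -f /hp-ux ) then
  find / $NOFIND $XDEV -type H -print >$TMP
  if ( ! -z $TMP ) then
    echo "### WARNING: Hidden HP files" >>$LOG
    echo " " >>$LOG
    $INDENT $TMP >>$LOG
    echo " " >>$LOG
  endif
endif

##################################################
## @(#)* Check for old configuration files replaced by rpm

if ( "$UNAME" == "Linux" ) then
  set RPMPATTERN='*.rpm[nos]*'
  cp /dev/null $TMP
  ( find /etc $XDEV -name "$RPMPATTERN" -print|grep -v rpmspec >>$TMP ) >>&/dev/null
  ( find /var $XDEV -name "$RPMPATTERN" -print|grep -v rpmspec >>$TMP ) >>&/dev/null
  ( find /usr $XDEV -name "$RPMPATTERN" -print|grep -v rpmspec >>$TMP ) >>&/dev/null
  if ( ! -z $TMP ) then
    cat <<EOT >>$LOG
### WARNING: configuration files replaced by rpm

The files listed here are probably left over from an rpm install.  They
could contain valuable configuration information which has been replaced
by a more generic (and less secure) configuration.

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

You should inspect each file and adjust the corresponding configuration
file accordingly.  Once you are convinced that the file is correct you
should delete the .rpmsave|.rpmorig file to keep from getting this
warning again.

EOT
  endif
endif

##################################################
## @(#)* List NFS exports

cp /dev/null $TMP
showmount -e | grep 'everyone' >> $TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### WARNING: NFS filesystem exported to the world!

This machine appears to be exporting filesystem(s) to anybody using
NFS!  Here are the filesystems being exported by ${HOSTNAME}:

EOT
  $INDENT $TMP >>$LOG
  echo " " >>$LOG
  cat <<EOT >>$LOG
This means that anybody can mount your filesystem and perhaps alter it.
You should change /etc/exports to only export to machines you can
trust.

EOT
endif

##################################################
## @(#)* List all NFS exports

cp /dev/null $TMP
showmount -e | egrep -v '^Export list for' > $TMP
#if ( "$UNAME" == "Linux" ) then
#  sed -e '/^#/d' -e '/^ *$/d' /etc/exports > $TMP
#else
#  exportfs | grep -v "nothing exported" > $TMP
#endif
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### NOTICE: List of NFS exports

This machine appears to be exporting filesystem(s) using NFS.  This is
normal, but there could be problems.  Check the list below to be sure
that you are only exporting to the hosts you intended.  Exporting a
filesystem to the whole Net is a serious but common problem.  Here are
the filesystems being exported by ${HOSTNAME}:

EOT
  $INDENT $TMP >>$LOG
  echo " " >>$LOG
endif

##################################################
## @(#)* List /etc/inetd.conf, look for specific problems:

if ( -e /etc/inetd.conf ) then
  # Strip comments and blank lines; drop services pointed at /bogus
  # (a conventional way of disabling an entry).
  sed -e 's/\#.*$//' -e '/^#/d' -e '/^ *$/d' /etc/inetd.conf | awk '$7 !~ /\/bogus/ {print}' > $TMP
  if ( ! -z $TMP ) then
    cat <<EOT >>$LOG
### NOTICE: inetd services

Many internet services are coordinate by the inetd program.  The file
/etc/inetd.conf lists thoses services which are offered by your machine
via inetd.  You should remove services you do not need.  Here are the
active contents of /etc/inetd.conf:

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

Please review the services listed, and either remove or comment out
those you do not need.

EOT

    ######################
    # Check for specifics:

    # @(#) imapd
    set X=`grep imap $TMP | grep -v bogus`
    if ( "$X" != "" ) then
      cat <<EOT >>$LOG
* NOTE on imap: imapd is a program for serving e-mail to a remote client
via the IMAP protocol.  Recent security problems are documented in CERT
Advisory CA-98.09 of 20 July 1998.  This vulnerability affects all
IMAP4rev1 servers prior to v10.234.  v10.234 may or may not be
vulnerable; if it came from Pine 4.00 or from any imap-4.1.BETA then it
is vulnerable.  IMAP2bis servers are immune.  Please review the advisory
and make sure that you are not running a vulnerable imapd.

EOT
    endif

    # @(#) qpopper
    set X=`grep pop $TMP | grep -v bogus`
    if ( "$X" != "" ) then
      cat <<EOT >>$LOG
* NOTE on pop: A popper is a program for serving e-mail to a remote
client via the PostOffice Protocol (POP).  Recent security problems are
documented in CERT Advisory CA-98.08 of 14 July 1998.  Versions 2.4 and
earlier of the Qualcom popper (qpopper) are vulnerable.  Please review
that advisory and make sure that you are not running a vulnerable
popper.

EOT
    endif

    # @(#) named
    set X=`grep domain $TMP | grep -v bogus`
    if ( "$X" != "" ) then
      cat <<EOT >>$LOG
* NOTE on domain service: The named program is a part of the BIND
nameserver - it translates host names into IP addresses.  There are
serious security problems with all versions of BIND prior to BIND
release 4.9.7 and BIND release 8.1.2 (there are two separate releases of
BIND currently being maintained).  This is detailed in CERT Advisory
CA-98.05 of 8 April 1998.  You should seriously consider disabling this
service.  Most Unix machines don't need to run a nameserver, they can
query a central nameserver which is likely to have more up-to-date
information.  Simply put the IP addresses (not names) of your local
nameservers in the file /etc/resolv.conf to use the remote nameserver.

EOT
    endif

    # @(#) telnetd
    set X=`grep telnet $TMP | grep -v bogus`
    if ( "$X" != "" ) then
      cat <<EOT >>$LOG
* NOTE on telnetd: the telnet protocol is inherently insecure because it
sends passwords as unencrypted text over the network.  Hackers use
"sniffer" programs to capture passwords this way.  It is much better to
switch to the Secure Shell Protocol (SSH).  See
http://feynman.physics.lsa.umich.edu/~myers/help/SecureShell.html,
http://www.openssh.com/ or http://www.ssh.fi/ for further information.
You should try to use SSH instead of telnet and turn telnetd off.

EOT
    endif

    # @(#) echo/chargen
    set X=`egrep 'echo|chargen' $TMP | grep -v bogus`
    if ( "$X" != "" ) then
      cat <<EOT >>$LOG
* NOTE on echo/chargen: echo and chargen have both been used in recent
"Denial of Service" (DoS) attacks using IP spoofing.  Your computer
could be tricked into echoing signals to another innocent victim
computer.  Since echo and chargen are not really needed for anything
important you should consider disabling them.

EOT
    endif

    # Ending notes:
    # @(#) remember to HUP inetd
    cat <<EOT >>$LOG
* NOTE 1 on inetd: Changes to /etc/inetd.conf will not take effect until
you reboot or send a 'HUP' signal to the inetd.  The command to send a
'HUP' to the daemon is

    kill -HUP <pid>

where <pid> is the process ID number of inetd.

* NOTE 2 on inetd: The inetd controls many network services, but not
all.  For example, the portmap daemon coordinates Sun RPC services, such
as NFS mounts and exports, and other programs may control network
services directly (such as an X server).  Don't assume that inetd
controls all network services, even though it does control many.

EOT
  endif
endif

##################################################
## @(#)* List world writeable directories (in selected areas)

# System areas first, then user areas; shared by the directory and
# file checks below.
set WDIRLIST=( /var /usr /etc /bin /lib /dev /sbin /lbin )
set WDIRLIST=( $WDIRLIST /usr/local /tmp )
set WDIRLIST=( $WDIRLIST /users /Users /home )

cp /dev/null $TMP
foreach DIR ( $WDIRLIST )
  if ( -d $DIR ) then
    find $DIR $XDEV -type d -perm -0002 -print >>$TMP
  endif
end
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### NOTICE: World writeable DIRECTORIES

The DIRECTORIES listed below can be written to by any user.  This is
the correct setting for some of them (such as /tmp and /var/tmp, or the
directories for cat'd man pages or TeX fonts) but there may be some
directories which have the wrong protections and should be changed.
Please review the list carefully.

EOT
  $INDENT $TMP >>$LOG
  echo " " >>$LOG
endif

##################################################
## @(#)* List world writeable files (in selected areas)

cp /dev/null $TMP
foreach DIR ( $WDIRLIST )
  if ( -d $DIR ) then
    find $DIR $XDEV -type f -perm -0002 -print >>$TMP
  endif
end
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### NOTICE: World writeable FILES

The FILES listed below can be written to by any user.  There is
generally no reason to have files like this (except perhaps for files
containing game scores or the TeX ls-R file), so you should look at
these files closely.  You probably want to change the protections on
these files, or even delete them.

EOT
  $INDENT $TMP >>$LOG
  echo " " >>$LOG
endif

##################################################
## @(#)* List all suid root files in system and user directories

cp /dev/null $TMP
set FARG=""
if ( -x /hp-ux ) set FARG="-hidden"   # including HP-UX 9.x hidden files

# System directories
set SUIDLIST=( /etc /bin /sbin /lbin /lib /usr /var /dev )
set AGE=""                            # -mtime -age in days
foreach DIR ( $SUIDLIST )
  if ( -d $DIR ) then
    find $DIR $XDEV $FARG -user root -perm -4000 $AGE -print >>$TMP
  endif
end

# User directories
set SUIDLIST=( /users /Users /home /tmp )
set AGE=""                            # -mtime -age in days
foreach DIR ( $SUIDLIST )
  if ( -d $DIR ) then
    find $DIR $XDEV $FARG -user root -perm -4000 $AGE -print >>$TMP
  endif
end

if ( ! -z $TMP ) then
  cat <<EOT >>$LOG
### NOTICE: All setuid root files

Listed below are all files which are 'suid root' -- when run they can
take on the userid of 'root'.  Many system programs need this
privilege, but you should try to limit the use of such programs.  Be
especially wary of suid root programs in user directories, temporary
directories, or the /dev directories.  Even if there are no problems
found, you may want to save a copy of this list for future reference
(to look for additions).

Suid root files for $HOSTNAME at `date`:

EOT
  $INDENT $TMP >>$LOG
  echo " " >>$LOG
endif

# Save a copy of the list (and save any earlier copies)
if ( -f $TWSUID ) newlog $TWSUID
/bin/cp $TMP $TWSUID
if ( $status == 0 ) then
  cat <<EOT >>$LOG
A copy of this list has been saved as $TWSUID

EOT
endif

# Last use of the scratch file.
/bin/rm -f $TMP

##################################################
## @(#)* Check/Initialize tripwire
##
## Tripwire: check that it can be used, and create an initial database
## if one does not already exist.  (Later checks can then detect
## back-doors to login and such.)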
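if ( -x $TWEXE ) then                 # check for executable
  if ( -d $TWDIR ) then               # check for directory
    if ( -r $TWCFG ) then             # check for configuration file
      if ( -r $TWDBF ) then           # check for database file
        cat <<EOT >>$LOG
### NOTICE: Tripwire database file already exists

A tripwire database file for this host already exists, so another one
will not be created.  If you want to start over you can build the
database file yourself 'by hand', by going to the directory $TWDIR and
giving the command

    tripwire -initialize -c tw.config

Or you can delete the existing database file and then re-run this
Security Inventory.

EOT
      else
        cat <<EOT >>$LOG
### NOTICE: Tripwire database file not found

I will use the tripwire configuration file tw.config to create a
database file containing the digital signatures of important system
files.  By running tripwire periodically you will be able to tell if a
file has been changed.  Output from tripwire initialization command:

EOT
        # Run from $TWDIR (the configured "execution directory") in a
        # subshell, so the database lands where $TWDBF expects it and
        # the script's own working directory is unchanged.
        # NOTE(review): presumes tripwire writes its database relative
        # to the current directory -- confirm for the installed version.
        ( cd $TWDIR ; $TWEXE -initialize -c $TWCFG ) >>& $LOG
        cat <<EOT >>$LOG

Note: even though tripwire may say something about moving the database
file, it is fine where it is, in $TWDIR/databases

EOT
      endif
    else   # (-r $TWCFG)
      cat <<EOT >>$LOG
### NOTICE: No tripwire configuration file $TWCFG

To use tripwire you need a configuration file listing the files and
directories to be checked and specifying how strictly they are to be
watched.  This file, called tw.config, should be in the directory from
which tripwire will be run ($TWDIR).

EOT
    endif
  else     # (-d $TWDIR)
    cat <<EOT >>$LOG
### NOTICE: No tripwire directory $TWDIR

You need to specify a directory in which tripwire will be run, and that
directory should already exist.  A directory under it called 'databases'
should also exist (but will be created if it doesn't alread exist).

EOT
  endif
else       # (-x $TWEXE)
  cat <<EOT >>$LOG
### WARNING: Cannot execute tripwire as $TWEXE

To use tripwire you need to specify the full path name of the executable
file.  I tried $TWEXE but it didn't work.  If you don't have tripwire
installed on your system you can get it from
ftp://coast.cs.purdue.edu/pub/tools/unix/ids/tripwire/
(Once you set this up properly you should probably check Nigel to see
that it's correct there too.)

EOT
endif

##################################################
## @(#)* Mail the report to root and save a copy on disk

umask 077
if ( -f $LOG && ! -z $LOG ) then
  (echo "#### Security Inventory for $HOSTNAME from Ivan $RCSVERS" ;\
   cat $LOG ) > ./${RPT}
  $MAILX "Security Inventory for $HOSTNAME" root < ./${RPT}
  # $ROOT is the forwarding target found by the MTA check above; it is
  # empty when root's mail is not forwarded (or no MTA was found).
  if ( "$ROOT" == "" ) then
    # (this section continues beyond the end of the excerpt)
    cat <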